From ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 3 Nov 2020 03:15:10 +0100 Subject: Bacula: refactor systemd service files. Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore. --- .../files/etc/systemd/system/bacula-fd.service | 25 ---------------------- .../system/bacula-fd.service.d/override.conf | 13 +++++++++++ 2 files changed, 13 insertions(+), 25 deletions(-) delete mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service create mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf (limited to 'roles/common/files/etc') diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service deleted file mode 100644 index 119b3a2..0000000 --- a/roles/common/files/etc/systemd/system/bacula-fd.service +++ /dev/null @@ -1,25 +0,0 @@ -[Unit] -Description=Bacula File Daemon service -After=network.target - -[Service] -Type=simple -StandardOutput=syslog -ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf - -# Hardening -NoNewPrivileges=yes -ProtectHome=read-only -ProtectSystem=strict -ReadWriteDirectories=/var/lib/bacula -RuntimeDirectory=bacula -PrivateTmp=yes -PrivateDevices=yes -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -CapabilityBoundingSet=CAP_DAC_READ_SEARCH - -[Install] -WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf new file mode 100644 index 0000000..537bf1e --- /dev/null +++ b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf @@ -0,0 +1,13 @@ +[Service] +# Hardening +NoNewPrivileges=yes +ProtectHome=read-only +ProtectSystem=strict +ReadWriteDirectories=/var/lib/bacula +PrivateTmp=yes +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +CapabilityBoundingSet=CAP_DAC_READ_SEARCH -- cgit v1.2.3